Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Nov 2007 22:49:35 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Jerahmy Pocott" <quakenet1@optusnet.com.au>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   RE: Difficulties establishing VPN tunnel with IPNAT
Message-ID:  <BMEDLGAENEKCJFGODFOCIECDCFAA.tedm@toybox.placo.com>
In-Reply-To: <BAB927D6-8DFA-46CB-95D2-61E60DD90F64@optusnet.com.au>

next in thread | previous in thread | raw e-mail | index | archive | help


> -----Original Message-----
> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
> Sent: Sunday, November 25, 2007 4:48 AM
> To: Ted Mittelstaedt
> Cc: FreeBSD Questions
> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>
>
> Perhaps, but I'v heard a lot of good things about IPF and IPNAT,
> especially since the nat is all in kernel where as natd is userland, so
> there is a slight performance boost possibly there as well..
>

I will address this one point here since it's enough to make
someone scream, it's such an old chestnut.

natd is always criticized because going to userland is slow.  So,
people who have slowness problems think that is the issue.

In reality, the problem is that the DEFAULT setup and man page
examples for natd use the following ipfw divert rule:

       /sbin/ipfw -f flush
       /sbin/ipfw add divert natd all from any to any via ed0
       /sbin/ipfw add pass all from any to any

This produces a rule such as the following:

00050  divert 8668 ip from any to any via de0

The problem though, is this is wrong.  What it is doing is that
ALL traffic that comes into and out of the box - no matter what
the source and destination is - will be passed to the natd translator.

What you SHOULD be using is a set of commands such:

ipfw add divert natd ip from any to [outside IP address] in recv [outside
interface]
ipfw add divert natd ip from not [outside IP address] to any out recv
[inside interface] xmit [outside interface]

What these rules do is ONLY pass traffic to natd that needs natting -
that is, traffic that is passing through the FreeBSD box onward to
the Internet.  Traffic that is broadcast, or traffic that is a destination
of the nat box itself (such as if the nat box is also running a proxy
server, mailserver, fileserver, etc.) or sourced from the nat box, is
NOT passed to natd.

There are some pretty fast Internet connections circuits out there
these days - DSL and Cable can both offer up to 10Mbt of bandwidth.
But, these are nothing compared to the bandwidth of a 100BaseT ethernet
card, or the PCI bus of a computer.  If someone is saturating their
natd with filesharing traffic to the nat box, why then no wonder they
are seeing things run slow.

Ted




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BMEDLGAENEKCJFGODFOCIECDCFAA.tedm>